SSL Certificates Made EASY With Traefik Proxy, Cloudflare, and Let's Encrypt - Tutorial

Captions
Welcome back, everybody. Today marks an exciting milestone in our home lab journey: we're going to be taking all of what we've learned so far and we're going to be exposing our first container through a reverse proxy with SSL certificates. So how are we going to do that? Well, we're going to be using Traefik, which is a container-first proxy which is able to be dynamically configured through code and also is able to pull valid certificates automatically from the internet.

So what does that mean? Well, at the moment your nginx container is simply being served over port 80 in HTTP. What does that mean? That's plain text; that means that that connection is not encrypted, so if anybody was sitting on your network, anyone was intercepting packets on your switch, they could see every single thing you are doing. That's why there's been such a huge push over the past sort of 10 years or so to make sure that when you're going to websites etc. you'll see that green padlock. Now, a green padlock in a browser means that it's using SSL encryption and that encryption is valid, i.e. the certificate is issued by a valid authority. We're not going to get into that too much today, but you can go and read up about how that works. So by the end of this video you'll have Docker serving nginx containers through a Traefik proxy with valid SSL certs.

One important thing to note for this video is you're going to need a valid domain. What does that mean? Well, just like google.com, youtube.com, you need a domain that you own. This allows you to point a domain to your IP address, so that you can say mydomain.com and it's going to land at your IP address. With a valid domain you can then be served valid SSL certificates to ensure that your traffic is end-to-end encrypted. Now, I recommend you go and buy a cheap domain; you can go to somewhere like Cloudflare and you can pick up domains usually for a few pounds a year. You don't need anything fancy for this; you can even use a free domain if you wanted to. And don't worry, you don't even need to have a static IP address; you can use dynamic DNS like I do, because I don't have a static IP address, and thankfully Sophos XG supports this out of the box and I'll cover that in a later video.

Now that you have your domain, you're ready to install Traefik, so let's head over to their website and have a look at the installation instructions. We're going to be installing this in Docker on our Docker VM. Now there's two ways you can do this: as I've shown you previously, you can actually do this really easily through the GUI on Portainer, and that's fine if you want to go and do that, there's nothing wrong with that, but there's also the Docker Compose way, which I recommend because you have granular control over the code. That's the way we're going to be doing it in this video, but again you can just go to the catalog in Portainer and deploy Traefik that way.

One thing that's great about Traefik is it has Let's Encrypt support built in. What's Let's Encrypt, I hear you say? Well, as I mentioned before, there's been a real drive over the past decade to get everybody onto HTTPS. Now thankfully there's a not-for-profit organization called Let's Encrypt who have helped people on that journey, so they offer you free, valid SSL certificates. Free, valid. Yeah, it's pretty awesome. I've been using them for years and I know a lot of other YouTubers in the space use it, haven't had any issues, and I highly recommend them. So with that in mind, we're going to be using Let's Encrypt to pull our certificates using Traefik. So on the installation page we want to find the instructions for Docker with Let's Encrypt. You'll also notice that there's a Helm chart. Now don't worry too much about Helm charts, we'll get on to those when we do Kubernetes later on, but just to know, as this is a container-first proxy it's a great choice for Kubernetes.

Another benefit of Traefik is that it has a great dashboard built into it, and I've showed you that on my previous videos. Now the good thing about this is it's a read-only one, so in terms of security not too much of a risk. It shows you all of the things that you'll need to know and it's a great tool for debugging; it gives you a single pane of glass to make sure that your proxy is set up and configured properly and helps you pin down problems really quickly.

So now that we've found the Docker installation guide with Let's Encrypt support, let's have a look at what that actually does. So just like before, we want to make a new folder within our Docker Compose folder just for Traefik, and we want to create a docker-compose.yaml file and we're going to copy and paste that content in there. So the first thing you're going to note is this version 3.3, and it's version 2.10 of Traefik. We're given the container name traefik, that all makes sense, and then we're going to get into some interesting commands. So by using Let's Encrypt and pulling down valid certificates there's a few changes to the default installation instructions that we need to make. There's also another slight nuance that you need to be aware of, although it doesn't matter which one you choose: you can validate your domain by using a DNS challenge or a TLS challenge. We're going to be using the DNS.

So what does that mean, what's a DNS challenge? Well, as you know, DNS, the domain naming service, is the way that we find out the IP address for a website using a name. So when you type in google.com it gives you the IP address so that your router, gateway etc. knows how to find it. So in a DNS challenge, what Let's Encrypt is going to do is, with your credentials, which we'll provide in the config file, it's going to log in to your Cloudflare or whoever your domain registrar is and it's going to create a temporary record. Now when it does the challenge it's going to look for that record in there. Now it knows that you own the domain because only you could have written it, i.e. only you have access to the API or the login portal to be able to put that record in. So when it does that challenge and finds it, it goes "hey, yeah, you are you, therefore you can download and have a valid certificate". So not only does that certificate provide you with encryption end to end, it also verifies your identity. Now that's really important, because you could have an encrypted tunnel to anybody, and I've said before that most malware nowadays will have an encrypted command and control center, so that means you can't actually see what's going in and out of your network. So the identity check works in a similar way with public key encryption: so they give you a public key to encrypt a message, you send that off and only they can decrypt it because they have the private key. We're not going to go into too much, but have a look at public/private key, it's basically how the internet works. And what that does is validates that only they could read that message, therefore they must be the holder of the private key, and therefore they must be who they say they are. Okay, thanks for sticking with me on the theory lesson.

Now let's get on to the installation steps. So the first thing we want to do is to create some config files. Now the first config file we'll want is the Docker Compose, and now I'll mention that we're going to have to tweak that. Now I've tweaked mine to include the steps necessary to do this with a Cloudflare DNS registrar. The key parts you can see are in the environment section. So when you create and register your domain with Cloudflare you need to go and create an API token. That's really simple: you just need to log in, go into your account settings and generate an API key. With those, just paste your email address and the API token here. We're also going to add some volumes which, as I mentioned before, these are persistent volumes that will reside on your Docker VM. So the ones that we're most interested in are the config, the acme.json and the traefik.yaml files. So the traefik.yaml is additional configuration settings for how we're going to generate those certificates, along with some other parameters such as entry points. The acme.json is where the actual private key for the certificate is going to be stored, and then the config is just additional config parameters, but we're going to leave that blank for this video. The logs are pretty self-explanatory; you can tell Traefik to print the logs to a file in case you wanted to pass it elsewhere. We're not going to do that in this video, and later on we're going to use things like CrowdSec to actually look at our logs for us.

The next bits of note in the labels section are: we're going to enable Traefik, so enable equals true; we're going to create an entry point of HTTP, now that relates to that port 80, as I said before 80 is typically associated with HTTP traffic; we're going to create a URL for our dashboard; we need to generate a basic auth password, and I'll show you how to do that in a moment because it's base encoded; and I've also said that we want to create a redirect scheme here. So a bit like if you just typed in google.com, you wouldn't expect to have to go https, that should be implied, right? So what this will do is, regardless of what you type in, if you just put your domain name in it will redirect you to the HTTPS port 443 and everything you do over that session will be encrypted. That then points you to that HTTPS entry point, so same as this entry point here; these are, just as it says, ways to get into the proxy, i.e. what the proxy will listen to and respond to. That's going to use the same URL, it's going to have TLS enabled, and then there's some important bits just at the bottom here. So for our certificate resolver we're going to use Cloudflare, because that's where we have our domain registered, and I wanted to generate certificates for both of these records. So Jim's Garage, this is the root domain, this is the highest level of the domain, and I also want to create a subdomain wildcard. So what does that mean? That basically means that with this certificate I could have whatever I wanted dot jimsgarage.co.uk and it would say fine, that's not a problem. So I could have, um, Home Assistant or WireGuard or Plex or Jellyfin or whatever you want, that is possible. And then at the bottom I've also enabled the API, which would allow you to do scraping and metric logs with things like Prometheus, so you can actually present your traffic logs in nice fancy Grafana dashboards, and we'll get onto that later. I showed you I have a few Grafana dashboards in my home lab.

The last bit that's important on here is this networks: proxy. What's that? Well, much like we've been virtualizing machines, Docker also enables you to virtualize networks, so we're going to create a network specifically for the proxy. Now this is a little bit like when I was talking about security through VLANs and multiple layers of networks; this is effectively the same, just within Docker itself. So we will be able to put containers onto this virtual proxy network that we want exposed to the internet, and those containers won't be able to talk to any other container on our network, which is pretty good for security, right? So to do that we're also going to have to create that before we can use it, and I'll show you how to do that, really simple, one command.

So let's have a look at these configuration files and what we need to do for those. So I've gone into WinSCP and I've created those three files. I've just put them in my Ubuntu Docker Traefik, so I have a /docker-compose/traefik where I put my Docker Compose file, and then I also have in the home directory just a /docker where I put all of my persistent files. So in here I've created an acme.json blank file. Now it's important that with this one you change the permissions: it needs to have permissions of 600. If you have more permissions than 600 it will complain and say that it's overly permissive, because that would be a security risk, because it would mean that other users, other groups could see the private key, and that's not a good idea; once you've had that private key compromised, that certificate is no longer secure. As I mentioned before, the config for Traefik is blank in this instance, but there are a number of configuration options you could put in here if you had a more advanced setup. And lastly, the one that's important is this traefik.yaml. So in here you want to copy this configuration down, and it's basically building upon what we've put in the Docker Compose file. So we're saying that we want the API enabled; we're saying that we want an entry point of port 80 and we want it to redirect to port 443; we're going to set insecureSkipVerify to true, so what that means is it will ignore if there are any certificate errors internally; we're saying we wanted to use the config file but we're leaving that blank for now, just default; and then again we're specifying what the certificate resolver is. So again in this case it's Cloudflare and we're doing an ACME DNS challenge, as I said before, so you need to provide your email address here, the one that you register with Cloudflare, and then you need to say where you want to store it, and we've already said the acme.json file, that's where it's going to store your private key, and we're going to do a DNS challenge with Cloudflare, and the resolvers for our DNS are the Cloudflare IPs, so 1.1.1.1 and 1.0.0.1, those are the primary and secondary DNS servers for Cloudflare. So we're going to say go and use your own resolver, and this will hopefully speed it up a little bit. I'll drop all of these files into the description and I'll put those on my GitHub page. It's also worth noting that you can create all these files, or you might actually argue you should create all these files, through the command line, and I'll put those commands up on the screen just so you have awareness. You really do need to get familiar with these commands as it will make your life so much easier in the future, but hey, we're keeping it simple for now.

So let's go ahead and create our network for Traefik, and there you go, that's created. We can verify that in Portainer, and there it is. So as I mentioned, we need to generate the dashboard password, so I'll show you how to do that. So first of all we're going to do a sudo apt update just to get the latest versions of all the files we need, put the password back in. Once that's pulled we need to run the next command, so here you can see we're installing a utility called apache2-utils. I'm not going to bother updating these just because we don't need to update them just to run this simple command. So then moving on to the command itself, we want to create a password and we need to replace the user and the password, so delete the brackets, delete the capitals, put in your username and your password; those are the only things you need to change. So let me just change mine to something simple. So I've changed mine just to admin admin, it goes without saying don't use this, and there you can see it spat out this code here. So what you want to do is copy that code and then paste it into your Docker Compose config file where it says the password for the dashboard.

So now that you've got that in place we're pretty much ready to go, so let's get this container running and let's check the logs to make sure that it pulls down the certificate correctly. Here we go, let's change directory to where our Docker Compose file is, and then we're going to run the same command we've always run for spinning up a container, and let's see what happens. So there you go, the container was pulled, the container was started. Now let's check in Portainer to see if that container is running; everything looks fine. Let's have a look at those logs; that looks fine, it loaded the configuration from that traefik.yaml file that we specified, excellent. So let's check then, hopefully, if we go into the folder: the acme.json file was empty, we'd created a blank file, let's refresh and see if that's still blank. Excellent, there's 16 kilobytes worth of data now in that file, so let's have a look inside there, and there we go, we can see that we've been generated a private key for both of the certificates that I requested, fantastic. So you can now go to your dashboard and you can view the Traefik dashboard using HTTPS, i.e. it's encrypted and it's valid, excellent.

One thing to note: that URL probably won't resolve. What does that mean? Well, you're going to type in traefik-dashboard.yourdomain.com and it's going to say nope, error, it can't find it. That's because you haven't specified the IP address on Cloudflare; you want to do that internally. Now you can either store that in your hosts configuration file, so you would put traefik-dashboard.yourdomain.com and point it to the internal IP address of your Docker host, and the way I do that is through Pi-hole as an internal DNS resolver. I'll be covering that shortly in some of the upcoming videos about how we deploy that, but for now let's get on to something that we actually would want to do.

So for example, we might now want to host a website with our nginx container, and we can absolutely do that now that we have a valid SSL certificate and we know that our traffic's going to be encrypted. So what steps do we need to take next? Well, we're going to have to change our nginx container: we're going to have to tell it now to sit on the proxy network, and we're going to have to fill out that label section similarly to what we did to the Traefik container; we're going to have to tell it to use things like, we want the website address, we want it to be redirected to, say, HTTPS, and we need it to sit on that proxy network that we created. We also will have to port forward on our firewall; thankfully in Sophos XG this is super easy. So let's start with that first step: let's recreate our nginx container to sit on the proxy network, and we need to add all of the configuration options to make it use the certificates we've just created. So going back to our nginx configuration, I've now changed that Docker Compose file to include those labels and the network proxy. So not going to go through that again, but as you can see it follows the same schematic as the Traefik container, and pretty much any container that you now want to run through the proxy and get all the benefits of a valid SSL certificate is as straightforward as copying that label block and putting it into the Docker Compose file. It's a really efficient way to take advantage of Traefik and all that it offers.

So go ahead and delete your previous container for nginx. Don't worry, deleting the container will not delete the persistent data on the host, it will simply delete the container, so when you re-spin this up, if you created a website or you have files in there, it will create the new container and it will load all of those files back into it, again demonstrating the benefits of containers and their ephemeral nature. So let's run the nginx container again and let's see what happens. So there we have the container downloaded and deployed without any errors. Let's refresh in Portainer and we can see that my Jim's Garage nginx container is available. Let's check the logs, everything looks fine within there, and we can log into the Traefik dashboard and just validate that that's working. Now don't be alarmed, this is my production, my live environment; I'm running Kubernetes because I run Traefik in Kubernetes, but the dashboard will be the same, except mine's going to have a lot more stuff in it. But you should be able to see now the nginx container that you spun up, you should see your entry point at the top on that port 80 and port 443, and if we go in and have a look at the HTTP services at the top you should see in here your, whatever you named your site, so on mine I just called it Jim's Garage, and here you can see this Jim's Garage is here.

So that takes us on to the next step in our configuration. We now have our website hosting our content with a valid SSL certificate, excellent. The only problem is nobody externally can access that, so how are we going to fix that? Well, you've already got your IP address added to your domain record, so when you query yourdomain.com or whatever it is, it's going to be able to find your home server. The problem is Sophos XG is set up to default deny, block, i.e. no ports are forwarded, so there's no traffic getting through. Thankfully this is really simple and there's an automated wizard in Sophos XG to do that, so let's get on to that. So all you need to do is log into Sophos XG and on the left you need to go to the Rules and policies menu. Within Rules and policies, click on the Add firewall rule button and you'll want to click Server access assistant (DNAT). Now I told you a bit about that before, so this is simply a NAT, a network address translation, but the D stands for destination. So let's click that. Now it's going to say where do you want this traffic to go to, select a host. So on here you can select your host for your Docker VM. So as I mentioned before, we want to create a static host, a static IP, for that host, and then we can just simply reference it in here. If you haven't done that you can simply put its IP address in, but I recommend that you go ahead and create a static IP for it. So I have my Docker host selected, you're going to just click Next, you're going to select your IP address, your WAN address, so in my case that's Port B, you're going to click Next. The next is going to show you the services you can access. Now what's the service? Well, in this case it's simply what Sophos XG calls common ports, so for example HTTP would be a service that opens port 80, HTTPS would be a service that's port 443, you kind of get the idea. So again, where we've gone on to hosts and services, you can add your own service and give it a friendly name. So for this one we simply want to add HTTP and HTTPS, so just go down, tick both of those and hit Apply, then click Next. This is just validating where people can come from externally to access your service; now because we're wanting to open it up to the internet we're going to say Any. Now you can also put geo blocks on top of this as a separate firewall rule. What's a geoblock? So there might be certain countries, territories etc. that you don't want to be able to access your website, so you can just block that by putting an IP range block in, and that's actually nice and friendly with Sophos XG as they give you the country names, because they're typically assigned an IP block. Now as you know, anyone can get around that with a VPN, but it does help to cut down a bit of traffic. So just hit Next and then this is going to give you a summary of what the rule will do: any traffic that is hitting your firewall on port 80 or port 443, it's going to send it to your Docker host on that port.

Now we have bound Traefik to port 80 and port 443, so that traffic will hit the firewall, the firewall will route it, will forward that on, port forward it, it will forward it to the Traefik host. The Traefik host will be able to intercept what the domain name was, so in my case Jim's Garage, and it knows that Jim's Garage is assigned to the nginx container. If for example it was a plex.jimsgarage or a jellyfin.jimsgarage it would also know that and be able to route it to the right container. And again, this is why Traefik's really awesome, because it's dynamic, so you can just dynamically assign subdomains, domain names to it and it will automatically figure out and route all of that traffic for you. So go ahead, click Save and finish, and then that will deploy that rule, and fingers crossed you should now be able to type your domain into your address bar and hit your nginx website. So let's go and test that out, and there we go, we can see Jim's Garage, um, yep, bit of shameless self-promotion there, and the reason why we've done all of this: let's click that padlock, connection is secure, good. Let's have a look at that, certificate is valid, let's inspect that, and there we go: common name Jim's Garage, provided by Let's Encrypt, it was issued a few days ago because I'd recorded this earlier, and it expires on the 16th of August 2023, and it will automatically be renewed every three months by Traefik. You can see the fingerprints for this certificate and you can also see more details if you want. So hopefully now you have everything in place to enable internet users to access your web server securely. I'll see you on the next video, take care.
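The persistent files the video describes (an empty acme.json that must be mode 600, an empty config file, and a traefik.yaml with a Cloudflare ACME DNS challenge), plus the `docker network create proxy` step and the htpasswd gotcha, as an added shell example. This is not the video's own script or the files from its description; the folder path, e-mail address, file names and sample hash are assumptions, and Traefik's static-configuration keys are used as documented for v2.

```shell
#!/usr/bin/env sh
# Added example, not the video's own files. Creates the persistent folder the
# video keeps outside Docker Compose (an empty acme.json with mode 600, an
# empty config.yaml, and a traefik.yaml using a Cloudflare DNS challenge),
# creates the "proxy" Docker network, and provides two small checks.
# BASE, ACME_EMAIL and the file names are assumptions; substitute your own.
set -eu

BASE="${BASE:-${HOME:-/root}/docker/traefik}"   # assumed persistent-data folder
ACME_EMAIL="${ACME_EMAIL:-you@example.com}"     # assumed; use your Cloudflare e-mail

# Print "ok" when the ACME store is mode 600 (owner read/write only), otherwise
# "too-permissive: <mode>". Traefik refuses a wider mode because the file holds
# the private keys of every certificate it obtains.
check_acme_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    if [ "$mode" = "600" ]; then
        echo ok
    else
        echo "too-permissive: $mode"
    fi
}

# Compose interpolates "$" inside labels, so the htpasswd output ("$apr1$...")
# must have every "$" doubled before it is pasted into docker-compose.yaml.
compose_escape_hash() {
    printf '%s' "$1" | sed 's/\$/$$/g'
}

# Static Traefik configuration: dashboard on, HTTP -> HTTPS redirect at the
# entry point, a Docker provider that only exposes labelled containers, and a
# certificate resolver doing the DNS challenge via Cloudflare's own resolvers.
write_traefik_yaml() {
    cat > "$1" <<EOF
api:
  dashboard: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
serversTransport:
  insecureSkipVerify: true   # ignore certificate errors on internal back-ends only
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false  # only containers labelled traefik.enable=true
  file:
    filename: /config.yaml   # extra dynamic config; left empty in the video
certificatesResolvers:
  cloudflare:
    acme:
      email: ${ACME_EMAIL}
      storage: /acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
EOF
}

# Create the folder layout. acme.json is never truncated if it already exists,
# because that would throw away certificates Traefik has already obtained.
setup_traefik_dir() {
    mkdir -p "$1"
    [ -e "$1/acme.json" ] || : > "$1/acme.json"
    chmod 600 "$1/acme.json"
    [ -e "$1/config.yaml" ] || : > "$1/config.yaml"
    write_traefik_yaml "$1/traefik.yaml"
    # Shared network for containers Traefik may reach; harmless if it exists.
    command -v docker >/dev/null 2>&1 && docker network create proxy >/dev/null 2>&1 || true
}

# Usage: run the setup, then confirm the permissions before starting Traefik.
setup_traefik_dir "$BASE"
echo "acme.json: $(check_acme_mode "$BASE/acme.json")"
```

Run the `htpasswd` command from the video, pass its output through `compose_escape_hash`, and paste the result into the dashboard's basic-auth label; `check_acme_mode` tells you before the first start whether Traefik will reject the ACME store.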
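The Compose layout the video walks through (Traefik with the Cloudflare environment variables, volumes and dashboard labels, and an nginx site that reuses the same label block on the shared proxy network), as an added example that is not the video's docker-compose file. `proxied_labels` generates the label block for any container name and hostname, which is the "copy the label block" step generalized; the domain, image tags, host paths and the placeholder hash are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not the video's own docker-compose file. Generates a Compose
# file with the Traefik service and one nginx site, both attached to the
# external "proxy" network. proxied_labels() prints the reusable label block
# that goes into any container you want behind the proxy. DOMAIN, the host
# paths, image tags and DASH_USERS are assumptions; replace them.
set -eu

DOMAIN="${DOMAIN:-example.com}"                              # assumed placeholder
TRAEFIK_DIR="${TRAEFIK_DIR:-${HOME:-/root}/docker/traefik}"  # assumed host path
NGINX_DIR="${NGINX_DIR:-${HOME:-/root}/docker/nginx}"        # assumed host path
# Placeholder for the htpasswd output; a real hash needs every "$" doubled.
DASH_USERS='admin:$$apr1$$PLACEHOLDER$$hash'

# Print the Traefik labels for service NAME served at HOST: an HTTP router
# that redirects to HTTPS, and an HTTPS router whose certificate comes from the
# "cloudflare" resolver. An optional third argument names extra middlewares
# (comma-separated) for the HTTPS router.
proxied_labels() {
    name=$1; host=$2; extra=${3:-}
    cat <<EOF
      - traefik.enable=true
      - traefik.http.routers.${name}.entrypoints=http
      - traefik.http.routers.${name}.rule=Host(\`${host}\`)
      - traefik.http.middlewares.${name}-https-redirect.redirectscheme.scheme=https
      - traefik.http.routers.${name}.middlewares=${name}-https-redirect
      - traefik.http.routers.${name}-secure.entrypoints=https
      - traefik.http.routers.${name}-secure.rule=Host(\`${host}\`)
      - traefik.http.routers.${name}-secure.tls=true
      - traefik.http.routers.${name}-secure.tls.certresolver=cloudflare
EOF
    if [ -n "$extra" ]; then
        echo "      - traefik.http.routers.${name}-secure.middlewares=${extra}"
    fi
}

# Write the whole Compose file to the path given as $1.
write_compose() {
    {
        cat <<EOF
version: "3.3"
services:
  traefik:
    image: traefik:v2.10
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - "80:80"
      - "443:443"
    environment:
      - CF_API_EMAIL=\${CF_API_EMAIL}          # read from a .env file, never committed
      - CF_DNS_API_TOKEN=\${CF_DNS_API_TOKEN}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${TRAEFIK_DIR}/traefik.yaml:/traefik.yaml:ro
      - ${TRAEFIK_DIR}/acme.json:/acme.json
      - ${TRAEFIK_DIR}/config.yaml:/config.yaml:ro
    labels:
EOF
        proxied_labels traefik "traefik-dashboard.${DOMAIN}" traefik-auth
        cat <<EOF
      - traefik.http.middlewares.traefik-auth.basicauth.users=${DASH_USERS}
      - traefik.http.routers.traefik-secure.tls.domains[0].main=${DOMAIN}
      - traefik.http.routers.traefik-secure.tls.domains[0].sans=*.${DOMAIN}
      - traefik.http.routers.traefik-secure.service=api@internal
  nginx:
    image: nginx:latest
    container_name: nginx
    restart: unless-stopped
    networks:
      - proxy                 # no "ports:" here; only Traefik can reach it
    volumes:
      - ${NGINX_DIR}/html:/usr/share/nginx/html:ro
    labels:
EOF
        proxied_labels nginx "www.${DOMAIN}"
        cat <<EOF
networks:
  proxy:
    external: true            # created beforehand with: docker network create proxy
EOF
    } > "$1"
}

# Usage: write the file into the current folder and show the nginx label block.
write_compose "./docker-compose.yaml"
proxied_labels nginx "www.${DOMAIN}"
```

The wildcard `sans` entry is what lets every `something.${DOMAIN}` host share the one certificate, and because nginx publishes no ports of its own, the only way in is through Traefik on the proxy network, which is the isolation the video describes.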
Info
Channel: Jim's Garage
Views: 17,326
Keywords: traefik, ssl, certificates, letsencrypt, cloudflare, docker, proxmox, linux, https
Id: XH9XgiVM_z4
Length: 28min 17sec (1697 seconds)
Published: Sun May 28 2023